Fed2 Star - the newsletter for the space trading game Federation 2

The weekly newsletter for Fed2
by ibgames

EARTHDATE: May 17, 2015


WINDING DOWN

An idiosyncratic look at, and comment on, the week's net, technology and science news
by Alan Lenton

A different format this week. I’m taking a look at an extremely dangerous and arrogant decision by Mozilla, purveyors of the Firefox web browser. There are also some interesting URLs for you to browse through, covering Amazon’s latest stockholder letter, Verizon buying the rump of AOL (whatever happened to Steve Case, by the way?), a look at the internet as a prototype, Windows 10 updating, Tesla’s much hyped new battery system, schools and Silicon Valley, a security gagging, and women in tech.

You barely got the issue this week – the need to completely shut down and restart the game’s cloud server so that the operator’s patch fixing the VENOM bug could take effect, combined with power cuts, meant the time available was at a minimum. We keep having power cuts – there’s a fault on the cable connecting to the sub-station round the corner.

The problem, so the power company tells us, is that the local council won’t let them dig up the road until there have been a certain number of blow outs. So, every time it happens, we have to wait for a repair man to come out and fix it – usually at least an hour for the whole block to be without power.

The fix he put in this time must have been thought up by a computer programmer. Instead of the company locating and fixing the underlying fault, they put in a sort of hopper containing half a dozen fuses, so that every time a fuse goes it shoves a new one in. The power now comes back up within a minute or so (until the fuses run out, of course). Not, of course, that it makes much difference if you make heavy use of IT – it still knocks the computer out, and requires the ‘didn’t shut down properly’ rituals to be gone through when you fire it back up...

Still, it looks like with this last power cut we have passed the magic number of cuts to get a permit to dig up the road. So in the not too distant future, we may just get the underlying problem fixed. One can but hope (or buy a large UPS at vast cost).

Next week is a long-scheduled week off, so there won’t be an issue. It’s a public holiday here in the UK, which means it will pour with rain for the whole time. Rumour has it that the British empire was founded and run by Brits trying to get away from British weather.

We will be back the week after, our power company and the local council permitting...

Analysis: Mozilla and HTTPS

Mozilla, makers of the Firefox browser, recently announced plans to cripple Firefox. Starting soon, they plan to make their users jump through hoops to visit sites that use the HTTP protocol. HTTP is the unencrypted version of the protocol used for transferring data from the web server to your browser. Banks and other sites handling money and sensitive information use the encrypted version – HTTPS. So in the near future, if you plan to go to sites that don’t use HTTPS you will get ‘scary’ (their description) warnings popping up all over the place.

Is this a good idea?

No! Definitely not. Much as it might sound like a good thing after all the material flooding the net about government monitoring of material on the web, it will actually make things much worse. This is because secure connections do not exist in isolation. Behind every server using HTTPS is a network of interlocking certificates called a ‘Public Key Infrastructure’ (PKI).

PKI works like this, roughly speaking, and leaving out the gory details. PKI starts with a certificate, which is a long unique number, belonging to the server using HTTPS. That certificate has to be purchased from a recognized authority, known as a Certificate Authority (CA).

When your browser contacts the server, the server tells your browser who issued the certificate, and some of the details. Your browser then contacts the web site of the CA and asks it to verify the certificate and the server. Once that is done, you have verified the server you are talking to, and the browser can set up an exchange of keys to use to encrypt all the traffic between your browser and the server.

So what’s the problem then?

Well there are a number of problems. For a start the CAs are commercial entities, and, understandably, want cold, hard, cash to provide you with a certificate. And the certificates have a limited life time, usually one, two or three years, depending on how much you cough up for them, so you have to keep going back and paying more.

The second problem is that since the purpose of the certificate is to allow the CAs to confirm that you really are who you say you are (i.e. how do you know your browser is really talking to your bank?), they want lots of details from you before they issue a certificate. Too bad if you live in a country with a repressive regime.

There aren’t very many CAs around, because of what’s involved, and also because to be an effective CA you have to persuade the browser makers to ship their browsers with the details of how to log securely onto the CA’s site in order to verify certificates they’ve issued! In Chrome you can look at the CA’s credentials by going to Settings|Show advanced settings|HTTPS/SSL. Click the ‘Manage certificates...’ button, and then click on the ‘Trusted Root Certification Authorities’. I suggest you stop at that point, unless you really know what you are doing – in which case you don’t need to read this article! My browser has certificates from fewer than two dozen root authorities. That’s not very many considering the billions of servers there are out there connected to the internet. This gives governments just a handful of organizations to put the screws on when they want information. That makes the server certificate a single point of failure.

Finally, there is the question of installing a certificate on your server. I think that putting this certificate in place is the most complex thing I’ve ever done on a computer – and that includes writing the 70,000 lines of code that make up my Federation multi-player game. I’ve included a URL to ArsTechnica’s explanation of how to do it, so you can see for yourself what’s involved. Oh! And by the way, installing the first certificate is the easy bit – installing a replacement certificate when the original one expires is even more of a pain! Would you like to do it, just so you can post your blog, cat pictures, etc?
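The limited certificate lifetime and the replacement chore described above are usually handled with an expiry check. The following is an added example, not part of the original column: a Python sketch that reports, for each host, the issuing CA's organization and the days left before renewal. The hostnames, CA names and function names are constructed for illustration.

```python
import socket
import ssl
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data, in the dict shape ssl.SSLSocket.getpeercert() returns.
# Hostnames and CA names are made up for illustration.
def _cert(org, not_after):
    return {"issuer": ((("organizationName", org),),), "notAfter": not_after}

SAMPLE = {
    "blog.example.org": _cert("Example Trust CA", "May 17 00:00:00 2016 GMT"),
    "shop.example.org": _cert("Example Trust CA", "Jun  1 00:00:00 2015 GMT"),
    "old.example.org": _cert("Sample Root Authority", "May 10 00:00:00 2015 GMT"),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Live use: return the validated leaf certificate a server presents."""
    ctx = ssl.create_default_context()  # verifies against the local trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """Pull organizationName out of the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "(unknown)"

def days_left(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)

def audit(certs, now, warn_days=30):
    """Return (host, issuing CA, days left, status) rows plus per-CA counts."""
    rows = []
    for host in sorted(certs):
        left = days_left(certs[host], now)
        status = "EXPIRED" if left < 0 else "RENEW" if left <= warn_days else "OK"
        rows.append((host, issuer_org(certs[host]), left, status))
    return rows, Counter(org for _, org, _, _ in rows)

if __name__ == "__main__":
    rows, per_ca = audit(SAMPLE, datetime(2015, 5, 17, tzinfo=timezone.utc))
    for row in rows:
        print(*row, sep="\t")
    print(dict(per_ca))
```

For live hosts, build the input with `{host: fetch_cert(host) for host in hosts}`; the per-CA counts show how many of your sites depend on each issuing organization.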

Finally, the truth is that many sites don’t need HTTPS. What’s so secret about what’s on Wikipedia, for instance? Or take our own ibgames.com site – all it contains is manuals, news and a couple of pieces of open source software. You can go and get the source for those from BitBucket if you want. Basically it comes down to who is going to be able, and eventually perhaps even allowed, to publish on the internet. At the moment it’s anyone. In the future, if the likes of Mozilla succeed, it could be just the people that the government, or some commercial entity permits.

How long will it be before Mozilla succeeds in turning the open internet into a broadcast media service like the movies, radio and television used to be in the last century?
http://phys.org/news/2015-05-mozilla-https-web.html
https://medium.com/@b_k/https-the-end-of-an-era-c106acded474
http://www.infoworld.com/article/2917575/encryption/mozillas-firefox-https-or-bust.html
http://lauren.vortex.com/archive/001099.html
https://plus.google.com/+LaurenWeinstein/posts/N5c2RiTSBPf
http://arstechnica.com/security/2009/12/how-to-get-set-with-a-secure-sertificate-for-free/

Scanner:

Jeff Bezos reveals Amazon’s brutal scale in annual letter
http://www.theregister.co.uk/2014/04/10/amazon_bezos_shareholder_letter/

Verizon to buy AOL in $4.4B bet on mobile, video [I’m wondering if I should care about this! – AL]
http://www.cnet.com/news/verizon-to-acquire-aol-for-4-4-billion-in-digital-push/

The Internet is just a prototype
http://us1.campaign-archive1.com/?u=f105fd56904428bca9da44a82&id=b43e9a4a12&e=eab3a9dc66

How Windows 10 updating will work: The devil’s in the details
http://www.infoworld.com/article/2918514/operating-systems/how-windows-10-updating-will-work-devils-in-details.html

Tesla’s new battery system – two different views
http://www.gizmag.com/tesla-battery-powerwall/37283/
http://www.theregister.co.uk/2015/05/04/tesla_powerwall_the_game_change_flavoured_battery/

Our schools all have a tragic flaw; Silicon Valley thinks it has the answer
http://www.psmag.com/business-economics/our-schools-all-have-a-tragic-flaw-silicon-valley-thinks-it-has-the-answer

Security bods gagged using DMCA on eve of wireless key vuln reveal
http://www.theregister.co.uk/2015/05/05/ioactive_security_research_gagging_order/

It’s not women who are the problem in tech land
http://www.cnet.com/news/women-arent-the-problem-in-tech-land/

Acknowledgements

Thanks to readers Barb and Fi for drawing my attention to material for Winding Down.

Please send suggestions for stories to alan@ibgames.com and include the words Winding Down in the subject line, unless you want your deathless prose gobbled up by my voracious Thunderbird spam filter...

Alan Lenton
alan@ibgames.com
17 May 2015

Alan Lenton is an on-line games designer, programmer and sociologist, the order of which depends on what he is currently working on! His web site is at http://www.ibgames.net/alan/index.html.

Past issues of Winding Down can be found at http://www.ibgames.net/alan/winding/index.html.
